2. Who am I?
Tatar Balazs Janos
Hungarian, lives in Brussels
Has worked with Drupal since 2007
Provisional Member of Drupal Security Team
Technical PM and former QA Lead @ EC-DIGIT
28. Twig in drupal8
No SQL queries from templates
No direct access to Drupal APIs from templates (logic stays in PHP preprocess functions)
Automatic output escaping: {{ variable }} is escaped; only the |raw filter or a disabled autoescape block bypasses it
29. Sanitization in drupal8
Html::escape() – plain text: HTML special characters become entities
Xss::filter() – a limited whitelist of HTML tags is allowed, everything else is stripped
Xss::filterAdmin() – wider whitelist for text entered by trusted admins (script, style and on* attributes still removed)
@variable – escaped with Html::escape(), unless it is a MarkupInterface object, which passes through untouched
%variable – escaped and wrapped in <em class="placeholder">
:variable – escaped and dangerous protocols (javascript: etc.) stripped, for use in an href attribute
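The functions and placeholders above, shown side by side on one piece of untrusted input. This is an added example, not code from the slides; it assumes a Drupal 8 code base (all classes used ship with core) and the sample input is constructed.

```php
<?php
// Added example: Drupal 8 output sanitization side by side.
// Assumes a Drupal 8 code base; the input strings below are constructed.
use Drupal\Component\Render\FormattableMarkup;
use Drupal\Component\Utility\Html;
use Drupal\Component\Utility\Xss;
use Drupal\Core\Render\Markup;

// Constructed untrusted values, e.g. taken straight from a request.
$name = '<script>alert(1)</script><b>Bob</b>';
$url  = 'javascript:alert(document.cookie)';

// 1. Plain-text context: every HTML-special character becomes an entity,
//    so the script tag is rendered literally, never executed.
$plain = Html::escape($name);

// 2. "Some HTML allowed" context: only the default whitelist survives
//    (a, em, strong, cite, blockquote, code, ul, ol, li, dl, dt, dd).
//    <script> and <b> are both removed; their text content is kept.
$filtered = Xss::filter($name);

// 3. Text entered by trusted administrators: a much wider whitelist,
//    but <script>, <style> and on* event attributes are still stripped.
$admin = Xss::filterAdmin($name);

// 4. Building markup with placeholders instead of string concatenation.
//    The same placeholder rules apply to t(), the logger and $this->t().
$markup = new FormattableMarkup(
  'Hello @name, see <a href=":url">your page</a> (%label)',
  [
    // Escaped with Html::escape(); a MarkupInterface object would pass
    // through unchanged, which is why Markup::create() is only for
    // strings that are already safe.
    '@name' => $name,
    // Escaped, and dangerous protocols removed: the javascript: prefix
    // is stripped, leaving a harmless, non-executable href.
    ':url' => $url,
    // Escaped and wrapped in <em class="placeholder">.
    '%label' => 'home',
  ]
);

// Already-sanitized HTML can be passed through deliberately, and only then.
$safe = new FormattableMarkup('@html', ['@html' => Markup::create($filtered)]);

// In a render array, use '#markup' for strings that went through Xss::filterAdmin()
// (which #markup applies itself) or '#plain_text' for untrusted plain text.
$build = [
  'greeting' => ['#markup' => $markup],
  'raw_name' => ['#plain_text' => $name],
];
```

The trap to remember: anything wrapped in Markup::create() or returned as a MarkupInterface object is trusted by every placeholder and by Twig, so that wrapping must only ever happen after one of the filters above has run.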
50. Fixing SQL Injection
Always use the Drupal Database API
db_query() with :placeholder (db_query() is deprecated in D8 and removed in D9; use \Drupal::database()->query() or an injected Connection)
Validate and filter parameters: placeholders quote values only, never table or column names
db_like() (Connection::escapeLike() in the OO API) for values used with LIKE, so % and _ in user input are escaped
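The three points above as code: the vulnerable concatenation, the placeholder fix, and the LIKE case where placeholders alone are not enough. This is an added example, not from the slides; it assumes a Drupal 8 code base, `$connection` is the core `\Drupal\Core\Database\Connection` (injected or obtained from `\Drupal::database()`), and the function names are hypothetical.

```php
<?php
// Added example: fixing SQL injection with the Drupal 8 Database API.
// Assumes a Drupal 8 code base; function names are hypothetical.
use Drupal\Core\Database\Connection;

/**
 * VULNERABLE (kept only to show the 'before' state, do not copy):
 * user input is concatenated into the SQL string, so a title of
 *   ' OR '1'='1
 * changes the meaning of the query instead of being compared as a literal.
 */
function mymodule_find_nodes_vulnerable(Connection $connection, $title) {
  $sql = "SELECT nid FROM {node_field_data} WHERE title = '" . $title . "'";
  return $connection->query($sql)->fetchCol();
}

/**
 * FIXED: a named placeholder. The driver quotes the value, so the same input
 * is just an unusual title. The braces around {node_field_data} are the
 * table-prefix syntax, not a placeholder: table and column names cannot be
 * parametrised and must never come from user input.
 */
function mymodule_find_nodes_by_title(Connection $connection, $title) {
  return $connection
    ->query('SELECT nid FROM {node_field_data} WHERE title = :title', [':title' => $title])
    ->fetchCol();
}

/**
 * Validate the type as well: a node ID is an integer, so cast it before it
 * reaches the query, and reject nonsense early instead of letting the
 * database see it.
 */
function mymodule_load_title(Connection $connection, $nid) {
  if (!ctype_digit((string) $nid)) {
    return NULL;
  }
  return $connection
    ->query('SELECT title FROM {node_field_data} WHERE nid = :nid', [':nid' => (int) $nid])
    ->fetchField();
}

/**
 * LIKE: placeholders quote the value but do not escape LIKE metacharacters,
 * so a fragment of "%" would match every row. escapeLike() (the OO form of
 * db_like()) escapes % and _ in the input before the wildcards are added.
 */
function mymodule_find_nodes_like(Connection $connection, $fragment) {
  return $connection->select('node_field_data', 'n')
    ->fields('n', ['nid'])
    ->condition('title', '%' . $connection->escapeLike($fragment) . '%', 'LIKE')
    ->execute()
    ->fetchCol();
}

/**
 * Array placeholders expand to a quoted list, so IN (...) does not need
 * string building either.
 */
function mymodule_find_nodes_in(Connection $connection, array $nids) {
  return $connection
    ->query('SELECT nid, title FROM {node_field_data} WHERE nid IN (:nids[])', [':nids[]' => $nids])
    ->fetchAllKeyed();
}
```

The `select()` builder in `mymodule_find_nodes_like()` adds the placeholders for you; the `query()` form is for cases where a hand-written statement is clearer. Either way the untrusted value only ever travels as a parameter, not as part of the SQL text.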
52. Fixing CSRF
Use the Form API (it adds a form_token hidden field and validates it for you)
Send and validate the token properly for anything that is not a Form API submission
In D8 use the built-in csrf_token service (\Drupal::csrfToken()) and the _csrf_token route requirement
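Both non-Form-API patterns from the list above: a state-changing route protected by the `_csrf_token` requirement, and an endpoint that checks a token by hand with the `csrf_token` service. This is an added example, not from the slides; the module name `mymodule`, the route names, the controller class and the token seed string are all hypothetical, and it assumes a Drupal 8 code base.

```php
<?php
// Added example: CSRF protection in Drupal 8 outside the Form API.
// Assumes a Drupal 8 code base. Module, routes, class and seed are hypothetical.
//
// mymodule.routing.yml (hypothetical):
//
//   mymodule.unpublish:
//     path: '/mymodule/unpublish/{node}'
//     defaults:
//       _controller: '\Drupal\mymodule\Controller\UnpublishController::unpublish'
//     requirements:
//       _permission: 'administer nodes'
//       _csrf_token: 'TRUE'      # core rejects the request unless ?token= is valid for this path
//
//   mymodule.unpublish_ajax:
//     path: '/mymodule/unpublish-ajax/{node}'
//     defaults:
//       _controller: '\Drupal\mymodule\Controller\UnpublishController::unpublishAjax'
//     methods: [POST]
//     requirements:
//       _permission: 'administer nodes'   # no _csrf_token here: validated manually below

namespace Drupal\mymodule\Controller;

use Drupal\Core\Access\CsrfTokenGenerator;
use Drupal\Core\Controller\ControllerBase;
use Drupal\Core\Url;
use Drupal\node\NodeInterface;
use Symfony\Component\DependencyInjection\ContainerInterface;
use Symfony\Component\HttpFoundation\JsonResponse;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;

class UnpublishController extends ControllerBase {

  /** @var \Drupal\Core\Access\CsrfTokenGenerator */
  protected $csrfToken;

  public function __construct(CsrfTokenGenerator $csrf_token) {
    $this->csrfToken = $csrf_token;
  }

  public static function create(ContainerInterface $container) {
    // The same service is available procedurally as \Drupal::csrfToken().
    return new static($container->get('csrf_token'));
  }

  /**
   * Pattern 1: build links from the route. Because the route carries
   * _csrf_token, the generated URL includes a ?token= bound to the path, and
   * the access check in core validates it before the controller runs.
   */
  public function unpublishLink(NodeInterface $node) {
    return Url::fromRoute('mymodule.unpublish', ['node' => $node->id()])->toString();
  }

  public function unpublish(NodeInterface $node) {
    // Token already verified by the route requirement; nothing to do here.
    $node->setUnpublished()->save();
    return $this->redirect('entity.node.canonical', ['node' => $node->id()]);
  }

  /**
   * Pattern 2: manual token. The page embeds get($seed) (for instance via
   * drupalSettings) and the client POSTs it back; the server checks it with
   * validate() using the same seed. Using a different seed on either side
   * makes validation fail, so keep the seed in one place.
   */
  public function tokenForAjax(NodeInterface $node) {
    return $this->csrfToken->get('mymodule-unpublish-' . $node->id());
  }

  public function unpublishAjax(NodeInterface $node, Request $request) {
    $token = (string) $request->request->get('token', '');
    if (!$this->csrfToken->validate($token, 'mymodule-unpublish-' . $node->id())) {
      throw new AccessDeniedHttpException();
    }
    $node->setUnpublished()->save();
    return new JsonResponse(['status' => 'unpublished']);
  }

}
```

Two checks worth doing on a review: no state-changing route should be reachable by a plain GET link without `_csrf_token`, and a hand-rolled check must compare against the same seed string the token was generated with, otherwise the endpoint is either unprotected or permanently broken.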
53. Security improvements in Drupal 8
Twig (auto-escaping templates, no PHP in the theme layer)
No PHP filter in core
Local image filter (images in text formats can be restricted to this site)
WYSIWYG editor (CKEditor) in core, with filtering tied to the text format
Built-in CSRF token mechanism
54. Learn by advisories
Report security issues privately through security.drupal.org, not in the public issue queue
Security advisories are issued only for
• Stable releases
• No alpha, beta or dev releases
• Modules hosted on drupal.org
@Maintainers: if the Security Team contacts you, be supportive!
57. Project applications on drupal.org
New contributors
Release management – stable releases
Power of the community
Automated (pareview.sh) and manual code review
58. Security related contrib modules
Hacked!
Security review (simplytest.me)
Paranoia
Password policy
Encrypt
Drop Guard
Guardian
Composer Security Checker
Permission report
Text format reported
And so on...
+ PHPCS with the Drupal and DrupalPractice sniffs (Coder module)